Spam and virus protection in Office 365 Small Business

Spam filtering and virus protection are automatically enabled on all inbound and outbound email messages by Microsoft Exchange Online Protection (EOP), the anti-spam and anti-malware service included with Office 365. The EOP service applies multi-layered filters and scanning engines to help protect your organization from email-borne threats.

Although no admin setup or management is required for Office 365 Small Business, you can customize anti-spam settings for your organization. Individual users can also manage the spam settings for their own mailbox.

How does spam filtering work?

Every message, inbound and outbound, is assigned a spam confidence level (SCL) based on the likelihood that the message is spam. Depending on the SCL, an inbound message may be relayed directly to the user’s Junk Email folder. All content-filtered messages are relayed to the user’s Junk Email folder by default. On outbound messages, if the SCL indicates that a message is spam, it is either routed through the high risk delivery pool, or it is bounced and not delivered. If the message isn’t delivered, the sender should receive a message, called a delivery status notification (DSN), telling them that the message couldn’t be delivered.

How do I customize the anti-spam settings for my organization?

You customize anti-spam settings by managing content filter policies. You can edit the default content-filter policy to configure your company-wide content filter settings. You can also create custom content filter policies and apply them to specified users, groups, or domains in your organization. Custom policies always take precedence over the default policy, but you can change the priority (running order) of your custom policies.

Content filter settings include selecting the action to take on messages identified as spam, and choosing whether to filter messages written in specific languages, or sent from specific countries or regions. Additionally, you can enable advanced spam filtering options if you want to pursue an aggressive approach to content filtering. Content-filter policy settings are applied to inbound messages only.

Open anti-spam settings

If you are an admin of a different Office 365 plan, you access content filter settings directly through the Exchange admin center.

Customize anti-spam settings

In the Content filter window, do one of the following:

Double-click the default policy in order to edit this company-wide policy.

Click Add to create a new custom content-filter policy that can be applied to users, groups, and domains in your organization. You can also edit existing custom policies by double-clicking them.

For custom policies only, specify a name for this policy. You can optionally specify a more detailed description as well. You cannot rename the default policy.

Note: When creating a new policy, all configuration settings appear on a single screen, whereas when editing a policy you must navigate through different screens. The settings are the same in either case, but the rest of this procedure describes how to access these settings when editing a policy.

Click the Actions menu item to select the action to take on a message for each confidence threshold level (Spam, which is considered suspected spam, or High confidence spam, which is considered certain spam). Possible values are:

Delete message: Deletes the entire message, including all attachments.

Quarantine message: Sends the message to quarantine instead of to the intended recipients. If you select this option, in the Retain spam for (days) input box, specify the number of days during which the spam message will be quarantined. (It will automatically be deleted after the time elapses. The default value is 15 days, which is the maximum value. The minimum value is 1 day.)

Move message to Junk Email folder: Sends the message to the Junk Email folder of the specified recipients. This is the default action for both confidence threshold levels.

Add X-header: Sends the message to the specified recipients but adds X-header text to the message header that identifies it as spam. Using this text as an identifier, you can optionally create rules to filter or route the messages as needed. You can customize the X-header text using the Add this X-header text input box.

Prepend subject line with text: Sends the message to the intended recipients but prepends the subject line with the text that you specify in the Prefix subject line with this text input box. Using this text as an identifier, you can optionally create rules to filter or route the messages as needed.

Redirect message to email address: Sends the message to a designated email address instead of to the intended recipients. Specify the “redirect” address in the Redirect to this email address input box.

Click the International Spam menu item in order to filter email messages written in specific languages, or sent from specific countries or regions. The service will apply the configured action.

Select the Filter email messages written in the following languages check box to enable this functionality. Click Add, and then in the selection dialog box, make your choices (multi-selection is supported). Click OK to return to the International Spam pane.

Select the Filter email messages sent from the following countries or regions check box to enable this functionality. Click Add, and then in the selection dialog box, make your choices (multi-selection is supported). Click OK to return to the International Spam pane.

Click the Advanced Options menu item in order to specify On, Off, or Test for each advanced spam filtering option.

On: Messages are actively filtered according to the rule associated with that option. Messages are either marked as spam or will have their spam scores increased, depending on which options you turn on.

Off: No action is taken on messages that meet the spam filter criteria. All options are turned off by default.

Test: No action is taken on messages that meet the spam filter criteria. However, messages can be tagged with an X-header before they are delivered to the intended recipient; this X-header lets you know which ASF option was matched and what would happen if the option was set to On. If you specified Test for any of the advanced options, you can configure the following test mode settings to be applied when a match is made to a test-enabled option:

None: Take no test mode action on the message. This is the default.

Add the default test X-header text: Selecting this option sends the message to the specified recipients but adds a special X-header to the message that identifies it as having matched a specific advanced spam filtering option.

Send a Bcc message to this address: Selecting this option sends a blind carbon copy of the message to the email address you specify in the input box.

For custom policies only, click the Apply To menu item and then create a condition-based rule to specify the users, groups, and/or domains for whom to apply this policy. You can create multiple conditions provided that they are unique.

To select users, select The recipient is. In the subsequent dialog box, select one or more senders from your company from the user picker list and then click Add. To add senders who aren’t on the list, type their email addresses and click Check names. In this box, you can also use wildcards for multiple email addresses (for example: *@domainname). When you are done with your selections, click OK to return to the main screen.

To select groups, select The recipient is a member of and then, in the subsequent dialog box, select or specify the groups. Click OK to return to the main screen.

To select domains, select The recipient domain is and then, in the subsequent dialog box, add the domains. Click OK to return to the main screen.

You can create exceptions within the rule; for example, you can filter messages from all domains except for a certain domain. Click Add exception and then create your exception conditions similar to the way you created the other conditions.

Click Save. A summary of your policy settings appears in the right pane.
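The Add X-header and Prepend subject line with text actions above only tag a message; something downstream has to act on the tag. The following is an added example (not Microsoft's code) of such a rule run over exported messages. The header name, subject prefix, folder names and sample messages are constructed placeholders.

```python
from email import message_from_string, policy

# Constructed values: substitute what you typed into "Add this X-header text"
# and "Prefix subject line with this text" in your own policy.
SPAM_HEADER = "X-Org-Spam-Flag"
SUBJECT_PREFIX = "[SPAM]"

def triage(raw_message):
    """Return (folder, original_subject, reasons) for one RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    reasons = []
    # Header names are case-insensitive; get_all also catches duplicated headers.
    if msg.get_all(SPAM_HEADER):
        reasons.append("x-header")
    # policy.default decodes RFC 2047 encoded-words and unfolds long subjects,
    # so an encoded subject cannot hide the prefix from the comparison.
    subject = str(msg.get("Subject", "")).strip()
    if subject.upper().startswith(SUBJECT_PREFIX.upper()):
        reasons.append("subject-prefix")
        subject = subject[len(SUBJECT_PREFIX):].lstrip()
    # A sender can add the same tag, so it is only used to divert mail
    # to review, never as a reason to trust a message.
    folder = "spam-review" if reasons else "inbox"
    return folder, subject, reasons

# Constructed sample messages.
TAGGED_BY_HEADER = (
    "From: news@example.net\nTo: amy@example.com\n"
    "Subject: Quarterly offer\n"
    "x-org-spam-flag: This message appears to be spam.\n\nbody\n"
)
TAGGED_BY_SUBJECT = (
    "From: promo@example.net\nTo: amy@example.com\n"
    "Subject: =?utf-8?q?=5BSPAM=5D_Win_now?=\n\nbody\n"
)
CLEAN = "From: bob@example.com\nTo: amy@example.com\nSubject: Lunch?\n\nbody\n"

if __name__ == "__main__":
    for raw in (TAGGED_BY_HEADER, TAGGED_BY_SUBJECT, CLEAN):
        print(triage(raw))
```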

Tips: Consider the following as you manage content filter policies in your organization:

Enabling and disabling policies: You can select or clear the check boxes in the ENABLED column to enable or disable your custom policies. All policies are enabled by default, and the default policy cannot be disabled.

Deleting policies: To delete a custom policy, select the policy, click Delete, and then confirm that you want to delete the policy. The default policy cannot be deleted.

Prioritizing policies: Custom policies always take precedence over the default policy. Custom policies run in the reverse order that you created them (from oldest to newest), but you can change the priority (running order) of your custom policies by clicking the up arrow and down arrow. The policy with a PRIORITY of 0 will run first, followed by 1, then 2, and so on.
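To check which policy a given recipient ends up under before you reorder or disable anything, the Apply To conditions, exceptions and PRIORITY rules described above can be modeled in a few lines. This is an added example, not Microsoft's code. It assumes the first matching enabled policy is the one applied, that values inside one condition are ORed and separate conditions are ANDed, and all policy names, groups and domains are constructed.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch

JUNK = "Move message to Junk Email folder"   # default action for both levels

@dataclass
class Policy:
    name: str
    priority: int = 0                                   # 0 runs first, then 1, 2, ...
    enabled: bool = True
    recipients: list = field(default_factory=list)      # "The recipient is" (wildcards ok)
    groups: list = field(default_factory=list)          # "The recipient is a member of"
    domains: list = field(default_factory=list)         # "The recipient domain is"
    except_domains: list = field(default_factory=list)  # "Add exception"
    spam_action: str = JUNK
    high_confidence_action: str = JUNK

def matches(policy, recipient, member_of=()):
    addr = recipient.lower()
    domain = addr.rsplit("@", 1)[-1]
    if domain in policy.except_domains:
        return False
    checks = []
    if policy.recipients:
        checks.append(any(fnmatch(addr, p.lower()) for p in policy.recipients))
    if policy.groups:
        checks.append(any(g in member_of for g in policy.groups))
    if policy.domains:
        checks.append(domain in policy.domains)
    # Assumption: values inside one condition are ORed, separate conditions ANDed.
    return bool(checks) and all(checks)

def resolve(custom, default, recipient, member_of=()):
    """First enabled custom policy (lowest PRIORITY) that matches, else the default."""
    for policy in sorted(custom, key=lambda p: p.priority):
        if policy.enabled and matches(policy, recipient, member_of):
            return policy
    return default

def action_for(policy, level):
    return policy.high_confidence_action if level == "High confidence spam" else policy.spam_action

# Constructed sample policies, deliberately listed out of priority order.
DEFAULT = Policy("Default")
CUSTOM = [
    Policy("Sales tag", priority=1, groups=["Sales"], except_domains=["lab.example.com"],
           spam_action="Prepend subject line with text"),
    Policy("Finance quarantine", priority=0, groups=["Finance"],
           spam_action="Quarantine message", high_confidence_action="Delete message"),
]
```

A recipient who is in both groups lands under the priority 0 policy only, which is the case to check before moving a stricter policy down the list.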

How can I let users manage their spam-quarantined messages?

You can configure end-user spam notifications for the default company-wide content filter policy or for custom content filter policies that are applied to domains. Enabling end-user spam notification messages lets your end users self-manage their own spam-quarantined messages.

End-user spam notifications contain a list of all spam-quarantined messages that the end user has received during a time period that you configure (you can specify a value between 1 and 15 days). You can also configure the language in which the notification message is written. After receiving a notification message, end users can click to move the spam email to their inbox, or report the spam email as Not Junk, in which case it will be sent to the Microsoft Spam Analysis Team.

Select the content filter policy for which you want to enable end-user spam notifications (they are disabled by default).

In the right pane, where the summary information about your policy appears, click the Configure End-user spam notifications link.

In the subsequent dialog box, you can configure the following options:

Enable end-user spam notifications: Select this check box in order to enable end-user spam notifications for this policy. (Conversely, if this policy is enabled, you can clear this check box in order to disable end-user spam notifications for this policy.)

Send end-user spam notifications every (days): Specify how often to send end-user spam notifications. The default is 3 days. You can specify between 1 and 15 days. If you specify 7 days, for example, the notification will include a list of all messages intended for that user within the past 7 days that were sent to the spam quarantine instead.

Notification language: Using the drop-down list, select the language in which to write end-user spam notifications for this policy.

Things to know about bulk mailings and spam filtering

Inbound email: You may find that some bulk mailings, like email newsletters you subscribe to, or notifications from large companies or social networking sites, end up in your Junk Email folder. If you want those messages to be delivered to your inbox, make sure to add the senders to your Safe Senders List in Outlook or Outlook Web App.

Outbound email: To prevent outbound spamming, the service monitors the volume of outbound mail per connection and throttles the connection when it detects suspicious outbound mail volumes. The limit for the number of outbound messages sent through EOP is high enough to ensure that normal email communication is not treated as spam. The best way to send messages to a large group of users or external contacts is to use distribution groups stored in the shared address book for your organization. The distribution group is treated as a single recipient. If you want to send commercial bulk email messages, rather than sending outbound messages through EOP, we recommend that you use a third-party email service provider (ESP).

How does virus protection work?

Exchange Online Protection combats malware, including viruses and spyware. Viruses infect other programs and data, and they spread throughout your computer looking for programs to infect. Spyware refers to malware that gathers your personal information, such as sign-in information and personal data, and sends it back to its author.

The EOP service offers multi-layered malware protection that’s designed to catch all known malware traveling into and out of your organization.